CVE Catalog

CVE-2026-10560

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints, allowing an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

Risk Assessment

The risk for the organization includes potential exposure of sensitive build-related data and the ability to disrupt system operations by canceling jobs, which may impact business continuity.

Recommendation

It is recommended to immediately upgrade IBM Langflow OSS to version 1.9.7 or later, which fixes this vulnerability, and to enforce authentication for all API endpoints.

Original NVD description (English source)

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS